I'd like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code execution bugs. We have weaponized one of those to be reliable and it's different than what Thor has found. I can't speak for anybody else but the bugs found in the beta copy of Safari on Windows work on the production copy on OSX as well (same code base for a lot of stuff). The exploit is robust mostly thanks to the lack of any kind of advanced security features in OSX, I write about it here.

UPDATE 5: I've been asked what our disclosure policy is. It's pretty simple, in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or makes threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.

60 comments:

My crash tool for Safari on Windows is the bookmarks toolbar. Importing bookmarks crashed the browser as did visiting one of the links. Yeah, this browser is fast loading pages, but it's still pretty buggy. Probably should have been an alpha version, not beta. At about a crash a minute, I don't think the Jobs Spin Machine could consider it more stable than Windows.

How many comments have you censored, I wonder? There's not an ounce of professionalism in any of your behavior or words; it's all the chest-pounding and look-at-me bluster of a twelve-year-old boy struggling with puberty. If you actually desire to be professional, then either shut your damned trap entirely or report the issues the way a professional security researcher would report them... for the betterment of all good folks and not just you.

mark.a.craig: Please explain to me the value in reporting vulnerabilities to an organization that treats them as marketing fodder and requires press to fix anything serious in a timely fashion. We are doing the responsible thing: letting everyone know that the vulnerability for marketing fodder will not be tolerated anymore from vendors, in the end their attitude makes the end user unsafe.

Nick: Sort of... With Apple's resources, it's hard to imagine that this many issues ought to have been discovered mere hours after its release... One gets the feeling it was maybe just lying around needing to be fixed, and they pushed it as a beta to draw more people to the newly-Leopardized-website...

Either way, it's sad to see this happen. It could easily have been avoided.

Maybe you would like to know that for the Spanish version of Windows (I don't know for other languages), Safari will render neither italic nor bold characters, and it crashes whenever you try to add a bookmark:

Yeah cuz we know Firefox has an impeccable track record. Maybe I'm color blind, but I see a lot of red over the passage of time. There is no place to run other than going back to beating the rocks together.

veggiedude: Yes I know what beta means. I understand it's not a final version. And I am certainly not here to discuss SDLC with anyone, I'm just saying before ANY release I would fuzz my product, even though it's beta. Look at the bottom of this blog entry, see all those links to erratasec's post? Those don't look too good for Apple, beta or not.

This sort of proves that the reason there are fewer attacks against the Macintosh is not because it's more secure, but because nobody cares. It wasn't until Apple released a Windows version of Safari that hackers cared, and found a bunch of easily discoverable bugs that affect both the Windows and Macintosh.

Worked really well for me last night. The install slowed down my computer and right when it opened the browser I had to make it the highest priority... and it ran perfectly then. I've got 1GB of RAM and a newer base Intel Core Duo processor on my lappy. So... maybe that's why it's working for me. Having to make it high priority sucks but having it freaking FASTLY load Gizmodo and other pages I love is awesome and then I don't care about that program being in front of the line.

One problem I have with the 'less exploits because no one cares' sentiment is the sheer volume of security professionals who have made base camp on OSX for workstation purposes. Something doesn't jive... not that I'm endorsing the OSX security high horse, but surely one cares about their OWN stuff.

You keep saying "production copy" on OS X. How is that? Yes it re-writes the current Safari but ONLY if you go through the trouble of choosing to participate in the BETA. The "beta" is not available via software update, you have to manually find and download it. It should not be considered an update but a "beta" on OS X as far as I have read...

You acknowledge all this prior to downloading here: http://www.apple.com/safari/download/terms_mac.html

Apple stated it was designed to be secure since day one yes. But they weren't trying to be as cocky as you are making them out to be. They released it as a beta. Not an indestructible commercial copy. If they were trying to be cocky about how great their product was they would have skipped the whole beta thing and just released a final. But they obviously knew there would be bugs to find... hence BETA.

I'm glad there are people like you to help find bugs, exploits, etc but you sound a bit cocky when being unprovoked!

So, it does still seem strange that they find vulnerabilities for Safari, QuickTime etc all the time. It's not a secret, it's in every PC magazine article and on Apple's website updates area. I mean, obviously we have updates for a reason.

Vulnerabilities are fewer on the Mac by hundreds of thousands if not millions but they still do exist. If you would have found these vulnerabilities prior to this conference then you would have probably never made a headline. But since it was a major release on Windows it is being blown way out of proportion it seems.

6,7 or 10 vulnerabilities in one day are a big deal yes but they were found in a beta program. How many of those were exploitable in the 2.04 or whatever on OS X? Is that such a big deal/number compared to what is normal with Safari vulnerabilities?

It just seems like you guys are all attacking this comment made by Apple WAY too hard for no reason...

I posted about Safari crashing also. Different error, but frustrating all the same. Yes, I know it's in beta, but beta means not alpha, and usually that means the app opens ... I can't even get to the first web page.

I discovered a bug involving Google Reader + Safari 3. Whenever I try to use the new email option to email myself a headline Safari crashes - immediately! I haven't tried to do this on a Windows machine.

Honestly guys what do you expect from a beta release. Your reaction is exactly what Apple expects as they need to refine it before the final release. Also you have no proof that this actually would happen on Mac OS X. Even running the best piece of software on a crappy OS (Windows) would lead to some issues... http://www.mostofmymac.com

The problem is that these bugs are EASILY found when looked for. No one disagrees that there are bugs in software, but the problem is that with some simple work and no access to the source code, these glaring bugs were found. Apple should have found these BEFORE releasing the product.

lukasz: as far as I know, Konqueror is pretty well fuzzed by now. (Besides, the code bases are fairly divergent and security holes that affect one often don't affect the other). Last time I ran a few fuzzers over it, it had a couple of DoS bugs, but as far as I could tell they weren't exploitable for anything else.

Are the bugs that are EASILY found in the Safari for Mac 2.0.4 or are they in the BETA? I'm not clear on which bugs are found in which but if it's in the BETA then who cares? They put software in BETA for this exact purpose.

If not... it's still not headline news as far as I'm concerned. It's Weds now. How many more vulnerabilities have been found aside from the initial 8 found on the first day?

Safari on Windows is not just insecure and unstable, it is deliberately deceptive:

When you select the option "Accept Cookies: NEVER", it does not honor that: it stores cookies permanently ANYWAY. (That is why the "show cookies" button is disabled... so you don't notice that you are being lied to). Apple was sued in 2004 for deliberately using an Eminem song in an iTunes commercial after permission had been denied... so the company appears to have an official policy of acting in bad faith. [1]* Apple's "Safari wardrobe malfunction" is likewise deliberate--because if it was not, the "Accept Cookies: NEVER" option would be disabled too (not just the "show cookies" option).

If, by fraudulent labeling, your software claims that it does something which it does not, isn't that false advertising? (And for the purpose of litigation, does it even matter if Apple's false advertising was intended for marketing gains, or for corporate espionage?) It's just not credible that this was a simple mistake--and now that we have prima facie evidence of the company's dishonesty, we have to wonder if Safari is collecting OTHER information about our online activities and transmitting it back to Apple. They could be electronically sifting through all of this to determine who is reading what... or who is talking about what Apple is doing. The possibility is not mere fantasy, because we already learned that Apple's management is psychotically-paranoid about "leaks" when they threatened to sue bloggers and website operators just for talking about what might be included in the next version of MacOS (leopard). [2]*

Apple's management has clearly gone insane: they are overwhelmed with paranoia about software competition, without any justification. What can realistically "compete" with MacOS? Linux? —Different versions of Linux have incompatible applications and installers! That's not a threat. —Windows, then? ...Ridiculous! The basic Windows architecture is fatally-flawed, and Microsoft is too busy trying to fix serious bugs at the most fundamental level of the OS to worry about improving the user-interface in the near-term. Windows dominates the market ONLY because Apple won't license MacOS to PC manufacturers: it is common knowledge that the "appeal" of Windows has always been linked to the freedom to choose a hardware vendor, not any kind of superior technology. Besides, the next Windows release of any significance is years away. As always, it will perform worse and cost more than the previous version (and it will be pathetically unstable). In comparison to the alternatives, MacOS X is already so superior that there is nothing worth hiding about planned improvements... and yet Apple is obsessed with silencing even POSITIVE criticism of it! There is just no polite way to put this: it is absolute madness... and if they are that crazy, there's no telling what else they might do for the sake of this paranoia. Apple sure has some great engineers, but the company's directors have lost their minds, and this Safari browser trickery only serves to underscore the point. Honestly, don't they have anything better to do with their time?!
